Blocking all ipv6 traffic

Similar Messages

• Blocking all IGMP traffic

  Hello,
  I?m hoping someone may have the answer to this. I am trying to block ALL types of IGMP traffic on a particular interface on at 3560-24-TS-S.
  We have a Summit 5i switch acting as a core switch for 400 users which all (VLAN 3) participate in a multicast group sourced from one of the servers on the same VLAN 3. All the equipment is managed via VLAN 3. From this Summit 5i core switch we have an untagged hand off to a Cisco 3560 - 24-TS-S which also has 400 DIFFERENT users participating in a multicast group sourced from a server physically connected to this Cisco switch but on VLAN 6. All equipment on this switch is also managed via VLAN 3. The problem I believe is that this handoff between the Summit 5i and the Cisco 3560 are having IGMP querying conflicts and it?s causing multicast troubles on both VLAN 3 and VLAN 6. I did setup the port as protected, blocked "unknown" unicast, multicast traffic and issued a no IP IGMP snooping vlan 3. But still having troubles.
  I am using IGMP v2 and source filtering is not available until v3 so I am not sure how to block ALL IGMP traffic to try and help isolate this as 2 separate networks but still being managed on the same.
  Any help is greatly appreciated...
  Regards,
  Robert

  You can try this and control the IGMP queries on a given interface.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swmcast.htm#wp1177268
  To disable groups on an interface, use the no ip igmp access-group interface configuration command.
  This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:
  Switch(config)# access-list 1 255.2.2.2 0.0.0.0
  Switch(config-if)# interface gigabitethernet0/1
  Switch(config-if)# ip igmp access-group 1
  HTH-Cheers,
  Swaroop

• RV110W Blocks all inbound traffic

  I have a RV110W that's been in service since Dec 2012. All Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (pwr off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly. Anybody seen this before?

  Hi David,
  Please call the Small Business Support Center and speak with an engineer. The phone numbers for the support center is located here: https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
  Regards,
  Cindy Toy
  Cisco Small Business Community Manager
  for Cisco Small Business Products
  www.cisco.com/go/smallbizsupport
  twitter: CiscoSBsupport

• Block all incoming traffic and Active FTP

  Will setting the firewall to Block all incoming traffic break Active FTP Connections?
  The firewall will normally dynamically create exceptions for the Connection using the Application Layer Gateway, but will the profile override these?

  Hi TribleTrouble,
  Do you have any issue about FTP active mode?
  If the clients are part of your domain, push the FTP firewall rules via GPO to your clients allowing FTP inbound sockets
  netsh advfirewall firewall add rule name="File Transfer Program" protocol=TCP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
  netsh advfirewall firewall add rule name="File Transfer Program" protocol=UDP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
  For Windows 7, the entire networking stack was rewritten and several security measures were taken to further secure Windows.
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• CoreSync.exe blocks all network traffic while (slowly) syncing my Creative Cloud files

  Hello folks,
  Since the latest Creative Cloud update (I'm using version 1.9.0.465 as of this writing), I've been unable to successfully sync my Creative Cloud Files folder.
  First things first, as other forum users have posted elsewhere, when the update installed itself, my Creative Cloud Files folder was moved from my chosen location to its default location (C:\Users\MyUserName) and I've been unable to put it back where I wanted it.
  However, more pressingly, I noticed that every time I booted my computer, neither my wife nor I were able to access the Internet.  After a couple days' trial and error I realized that Creative Cloud was trying (unsuccessfully) to sync about seven files (totaling about 750MB) to the cloud, and anytime the sync was actively working, my network access was completely blocked.  Even the Creative Cloud desktop app itself couldn't access the Internet to authenticate my apps or Typekit fonts.
  I have managed to get much smaller files (1MB, 5MB, up to 15MB) to sync successfully, however this takes a really long time, and no one on my network can manage to load a web page on their device until the sync is complete.
  Right now I've got syncing paused, and everything on my network is working fine.
  For some additional info, I've attached a screen grab of my Networking tab from Task Manager:
  The big spikes in that graph are me and my wife loading up tons of web content-- YouTube videos, a million tabs of who-knows-what, all acting normally.  Then I hit Resume on CC's sync operation, my activity line clamps way down, and no one can load any Internet content anywhere.  After that, I released my computer's IP address from the command prompt, at which point Creative Cloud Desktop returned a connection failure, and I quit the app.  When I renewed my IP address, I noticed our network access was still blocked, even though Creative Cloud was not running.  I traced the problem back to CoreSync.exe, which had continued running even after I'd quit Creative Cloud.  The moment I ended the CoreSync.exe process, everything was back to normal... until I restarted the Creative Cloud app, which in turn restarted CoreSync.exe.  It was only after pausing CC's sync operation that we were able to use the Internet again.
  So!  To sum up, here are my two issues:
  Syncing is entirely broken, and prevents everyone on my network from using the Internet while CC spins its wheels.
  For some reason, following the same update, I'm unable to change the location of my Creative Cloud Files folder.
  Some things I've tried:
  Uninstalling & reinstalling the Creative Cloud Desktop app-- no change
  Clearing my archived files on creative.adobe.com in case there was some weird argument happening between my live/syncing files and my archived files-- no change
  Manually adding CoreSync.exe to my Windows Firewall whitelist-- no change
  Finally, I can recreate this issue on my second computer, running the same version of Creative Cloud but running off wireless instead of Ethernet.  Same symptoms-- feed it a file to sync, and everyone's Internet access is gone until the sync operation [eventually] finishes.
  I'm completely stumped and very frustrated.  I rely heavily on CC's file syncing feature, and as it's the only cloud storage product I'm actually paying for, I'm not willing to abandon it for another service like DropBox.  I'm willing to try just about anything-- and in the meantime I'm just wishing Creative Cloud Desktop app updates weren't compulsory; the last build I'd installed here was working perfectly fine.
  My basic system specs in case it's helpful:
  Windows 7 Professional x64 SP1
  2x Intel Xeon E5-2670 @ 2.6GHz
  64GB DDR3 RAM
  nVidia Quadro 4000
  Any insights would be incredibly appreciated!  Thanks in advance.

  Heyo Dave,
  Thanks so much for your reply and suggestions.  Here's what I've discovered after some more noodling.
  I'm no networking guy, but I can't seem to find anything about my modem or router that would explain why my upstream traffic is being throttled using CC-- especially since it's all the same hardware I was using last week before I updated CC.
  In addition, I've tried test uploading a couple of files using DropBox, Google Drive, and WeTransfer.com, and neither process interrupts Internet use on my network.
  With all that said, I did go in and pull back my Transfer Speed settings in CC from Maximum to Low, and that made a big difference!  Syncing continued to work, and our other network requests were working just fine.  I managed to get my upload speed set as high as Medium; High and Maximum both kill my network within seconds of being set.
  So I'm not sure what was done to the CC application in this release to supposedly enable us to "Sync Files and Fonts faster" (from the release notes), but whatever it is, it's got my uploads capping at 100Kbps (compared to a minimum 350Kbps using Google Drive) unless no one in my home wants to check their email for the next hour.  That's a significant bummer for me, as my After Effects projects regularly swell to ~50MB toward the end of a project.
  I'd like to submit a big report here, since really the only variable at play in this situation was the Creative Cloud update.  However, unfortunately it looks like the bug report form is down...  I'll have to try again later.
  In the meantime, if there are any other suggestions for experiments I can run on this beast, I'm happy to oblige and report back in case other folks with similar issues can get some relief!
  Thanks again,
  Jared

• ACLs on Dot11Radio interface blocks ALL traffic

  On an AP1220 w/IOS 12.2(11)JA1, all traffic is blocked when an ACL is applied on either the RF interface or the FastE interface, even explicitly permitted traffic. Also, using the "log" command after an ACL line fails to log anything. Below is the ACL I want to apply to the Dot11Radio 0 interface. It blocks ALL traffic:
  access-list 100 permit udp any any eq bootpc log
  access-list 100 permit tcp any host 10.0.0.1 eq 1723 log
  access-list 100 permit gre any host 10.0.0.1 log
  access-list 100 deny ip any any log
  Here is a test ACL that blocked ALL traffic, as well:
  access-list 101 permit udp any any log
  access-list 101 permit tcp any any log
  access-list 101 permit icmp any any log
  access-list 101 permit ip any any log
  Both ACLs blocked all traffic and failed to log a single event. If the ACL is removed, everything works. HELP!

  It's a known bug CSCec28612 - AP1200 access-list doesnt work on radio int with a log keyword

• How to configure DNS server to redirect all web traffic to one external website?

  I'd like to use the DNS service on my OS X Server as a way to force all all web traffic to one specific, external website. Not quite sure how to go about configuring it, though - any recommendations?
  (BTW, this is, obviously, not our primary DNS server; I intend to silently update the preferred DNS server for users who fail to complete their timesheets in order to force the issue)

  Web clients don't generate uniquely-identifiable DNS queries; there's no SRV request or related traffic that you could select on and spoof.  So if you do implement this, everything querying the spoofing DNS server will get the spoofed host, or you'll have to spot specific queries that are likely web queries; Facebook, Google, Bing, etc. 
  If you still want to implement this, then I'd probably replace the DNS server with a runt DNS server (maybe hack dnsmasq or maraDNS, or create yourself a trivial DNS server) and have that always return the specified IP address.  This avoids having to hack BIND to be universally authoritative, which is probably on par with hacking a simpler DNS server to always return a fixed IP address, and the latter is probably easier to undo.
  A firewall can spot TCP port 80 and port 443 traffic, unlike a DNS server.   Firewalling outbound port 80 traffic is more typical of these requests, and either trap that traffic to a specific web page based on the capabilities of the firewall, or the web proxy approach that Camelot suggests.  There are folks that tie access into the web proxies into external authentication and related; that'd be able to do what you want.   Web proxies are usually combined with firewall blocks, as most sites want only the web proxy to have external access, too.  But this is also rather more pieces than a DNS redirect, too.

• Block guest mDNS traffic on business LAN

  For my company, I am running a Cisco 5508 WLC with a 4400 WLC as a guest anchor in our DMZ.  There is a guest SSID and several business SSID's for internal equipment.  Guest traffic should be tunneled out to the 4400 controller where [the client] gets its IP address and is sent out to the internet.  No internal corporate access is possible.  However, when I do a packet capture from my wired PC, I'm seeing traffic generated by different iPhones.  It appears to be mostly IPv6 mDNS or ICMPv6 traffic.  How would this traffic make it onto the corporate wired network, when it should be staying on the guest network?  None of the iPhones have been setup on the business SSIDs, so I know it isn't legit traffic.  Is there a setting in the WLC that will block this?  Will an ACL work?
  These are examples of some of the traffic that wireshark is capturing:
  349          7.794875          fe80::e77:1aff:fe3c:f81          ff02::fb          MDNS          253          Standard query response PTR, cache flush Tonyas-iPhone-2.local PTR, cache flush Tonyas-iPhone-2.local
  356          7.802667          fe80::e77:1aff:fe3c:f81          ff02::fb          MDNS          151          Standard query ANY Tonyas-iPhone-2.local, "QU" question ANY Tonyas-iPhone-2.local, "QU" question
  361          7.806964          fe80::e77:1aff:fe3c:f81          ff02::fb          MDNS          151          Standard query ANY Tonyas-iPhone-2.local, "QM" question ANY Tonyas-iPhone-2.local, "QM" question
  Both controllers are running software version 6.0.196.0.  I also have a WCS server running version 7.0.220.
  Thanks!
  Joe P.

  Well, you are asking a valid question but unfortunately I don't know the answer. I tried to find in config guide and multicast design guide if there disabling mylticast affects only L3 multicat or both L3 and L2 multicast but I unfortunately could not find an answer.
  Just one hint came to my mind, do you have Ipv6 bridging enabled under your WLAN (under advanced tab)?
  I think it is enabled so you may try disabling it. That would possibly stop the IPv6 traffic.
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wp1345783
  HTH
  Amjad

• IPv4/ IPV6 Traffic Discrimination and Monitoring

  Hi Guys
  I would appreciate a lot your experiences and best practices about operating and monitoring dual stack networks in Service Provider environments. Currently we're working in a 6VPE model for Internet customers in order to provide dual stack services, but we are looking for a way that allows us discriminate and monitor both the IPv4 and IPv6 traffic separately. 
  Does anyone could to share his experiences, how did they were addressed?
  What kind of monitoring tools have you used? 
  What did you do in order to guarantee a reliable monitoring strategy?
  I will appreciate your support a lot.
  Marcelo

  Hi Russell,
  I'm in the process of writing a program to do this as I've not seen anything that provides this function available.
  For your wired network you should have an inventory of assets containing at least MAC addresses and the user who owns the device.
  On your wireless networks you will probably be using SLAAC and I guess you must be using 802.1x in which case you will be able to identify users to MAC addresses.
  Essentially you need to periodically gather (less than the age timer) the IPv6 neighbour table from your core switches (or any edge etc, if it routes), this will give you the GUA and ULA against the MAC address. If you using an type of authentication parse those logs for usernames and MAC addresses.
  Stir it all together in a database and you should have timestamp, IPv6 address, MAC and user .
  cheers,
  Seb.

• Does IPv6 traffic "pass-through" or "drop" by cisco waas?

  Since cisco waas is not yet supported IPv6, if i am running IPv4 and IPv6 dual stack mode on the same circuit, does IPv6 traffic get dropped by the waas or does waas put IPv6 traffic in "pass-through" mode and let it goes?  I am thinking, waas will treat IPv6 as non-IP traffic and will let it goes.  Am i right?
   

  Hi Joe and Kanwai,
  One note though - if your running WCCP as the redirection mode, you won't get the IPv6 traffic redirected, as WCCP does NOT support IPv6. Hence you won't see IPv6 traffic at all on the WAAS device.
  Best Regards
  Finn Poulsen

• Blocking all MAC addresses except for the ones you allow

  I have a Cisco Aironet 1200 Access Point. I want to block all MAC addresses from accessing the access point, except for the ones I've allowed. First I went to the Address Filters page and clicked on Allowed, then listed all the MAC address I want to be able to access the access point. Then I went to the Ethernet Advanced page, and set the Default Multicast Address Filter to Disallowed, and the Default Unicast Address Filter to Disallowed. Then I went to the AP Radio: Internal Advanced page, clicked on the Advanced Primary SSID Setup link, and set the Default Unicast Address Filter to Disallowed. Accept Authentication Type is set to Open with Shared and Network-EAP cleared, and the Require EAP check boxes are all cleared.
  When using a computer whose MAC address is not listed on the Address Filters page, I am still able to connect to the network through the access point. I am also able to connect to the access point from any pc on my network by entering its IP address in Internet Explorer.
  What do I need to do to block any pc without a listed MAC address from connecting to the access point?
  Thanks, Jeff

  Here's the instructions and URL on how to create an MAC based filter:
  Follow these steps to create a MAC address filter:
  Step 1 Follow the link path to the Address Filters page.
  Step 2 Type a destination MAC address in the New MAC Address Filter: Dest
  MAC Address field. You can type the address with colons separating the character pairs
  (00:40:96:12:34:56, for example) or without any intervening characters (004096123456, for example).
  Note If you plan to disallow traffic to all MAC addresses except
  those you specify as allowed, put your own MAC address in the list of allowed MAC
  addresses. If you plan to disallow multicast traffic, add the broadcast MAC address
  (ffffffffffff) to the list of allowed addresses.
  Step 3 Click Allowed to pass traffic to the MAC address or click Disallowed
  to discard traffic to the MAC address.
  Step 4 Click Add. The MAC address appears in the Existing MAC Address
  Filters list. To remove the MAC address from the list, select it and click Remove.
  Step 5 Click OK. You return automatically to the Setup page.
  Step 6 Click Advanced in the AP Radio row of the Network Ports section at
  the bottom of the Setup page for the radio you want to configure. The AP Radio Advanced page appears.

• Receive IPv6 traffic - kernel panic?

  I configured an IPv4 -> IPv6 tunnel on my firewall via he.net and set my default route for inet6 traffic to the remote side. Then I got a /64 network assigned from he.net and IP'd my internal network, include my MacBook Pro running OS X 10.4.8.
  I can do a traceroute6 from my Mac to external sites just fine. It uses the IPv6 tunnel exactly as expected (I set my default route for IPv6 on my Mac to be the IPv6 address of the internal interface of my firewall). When I tried to use an external site to do a traceroute6 back to my Mac, it panicked!
  Perhaps there is some problem with the Intel version of the Yukon driver (Marvell Yukon gigabit ethernet)? Has anyone else had kernel panics when on the receiving end of inbound IPv6 traffic (that wasn't in response to an outbound connection)?
  Here's the crash report:
  panic(cpu 0 caller 0x0035BEAC): freeing free mbuf
  Backtrace, Format - Frame : Return Address (4 potential args on stack)
  0x251e3db8 : 0x128d1f (0x3c9540 0x251e3ddc 0x131df4 0x0)
  0x251e3df8 : 0x35beac (0x3e9c7c 0x1dfba 0x87c4b9fe 0x1dfba)
  0x251e3e38 : 0x7314a4 (0x36e07600 0x0 0x251e3e68 0x1a1ec0)
  0x251e3e58 : 0xa6d454 (0x237f1000 0x36e07600 0x0 0x2)
  0x251e3e88 : 0xa6bad0 (0x237f1000 0x36e07600 0x0 0x38dbc80)
  0x251e3ea8 : 0xa6ed7c (0x237f1000 0x0 0x1000000 0x133b25)
  0x251e3f08 : 0x398a1f (0x237f1000 0x38dbc80 0x1 0x37b5d08)
  0x251e3f58 : 0x397bf1 (0x38dbc80 0x135ec3 0x0 0x37b5d08)
  0x251e3f88 : 0x397927 (0x38d7480 0x0 0xee6b280 0x13869f)
  0x251e3fc8 : 0x19a74c (0x38d7480 0x0 0x4 0x4eae6b8) Backtrace terminated-invalid frame pointer 0x0
  Kernel loadable modules in backtrace (with dependencies):
  com.apple.iokit.AppleYukon(1.0.7b3)@0xa69000
  dependency: com.apple.iokit.IONetworkingFamily(1.5.1)@0x72a000
  dependency: com.apple.iokit.IOPCIFamily(2.1)@0x5ee000
  com.apple.iokit.IONetworkingFamily(1.5.1)@0x72a000
  Kernel version:
  Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386
  Model: MacBookPro1,1, BootROM MBP11.0055.B08, 2 processors, Intel Core Duo, 2.16 GHz, 2 GB
  Graphics: ATI Radeon X1600, ATY,RadeonX1600, PCIe, 256 MB
  Memory Module: BANK 0/DIMM0, 1 GB, DDR2 SDRAM, 667 MHz
  Memory Module: BANK 1/DIMM1, 1 GB, DDR2 SDRAM, 667 MHz
  AirPort: spairportwireless_card_type_airportextreme (0x168C, 0x86), 0.1.27
  Bluetooth: Version 1.7.9f12, 2 service, 0 devices, 1 incoming serial ports
  Network Service: Built-in Ethernet, Ethernet, en0
  Network Service: AirPort, AirPort, en1
  Serial ATA Device: ST910021AS, 93.16 GB
  Parallel ATA Device: MATSHITADVD-R UJ-857
  USB Device: Built-in iSight, Micron, Up to 480 Mb/sec, 500 mA
  USB Device: Apple Internal Keyboard / Trackpad, Apple Computer, Up to 12 Mb/sec, 500 mA
  USB Device: IR Receiver, Apple Computer, Inc., Up to 12 Mb/sec, 500 mA
  USB Device: Bluetooth HCI, Up to 12 Mb/sec, 500 mA

  MTU on the ethernet interfaces of the Mac and the inside the firewall are both 1500 (normal). My switch is only FE so the Mac's NIC auto-neg'd to 100/full. The MTU of the 4->6 tunnel is 1280. I believe that's because of the encapsulation overhead (it has to send the IPv6 packets inside IPv4 packets).
  In any case, it's not using Jumbo Frames (I don't think the switch even supports them).
  I was thinking it might be a problem with the longer address and endianness. For instance, maybe on the Intel platform they did a quick patch to make the address pointer move over a fixed 4 bytes, then read backwards by the length of the address. That would work fine for 4 byte (i.e. IPv4) addresses, but on 16 byte (IPv6) addresses it would go horribly wrong (shift 4 bytes, then read backwards 16 bytes, uh oh!).
  Apparently it only affects some of the code paths, because I can send out IPv6 packets and accept the responses. It was only when I received an unsolicited IPv6 packet that it panicked.
  It's all just a wild guess any way. I would like to experiment with it a little more, but I really don't feel like causing multiple kernel panics and possibly corrupting my file system from the resulting hard-resets.

• Block all ip addresses except one

  I want to block all ip addresses except one from connecting to the computer. Is there a device (firewall) for the same?

  Hi,
  If you have an existing firewall and the traffic destined for that host is going through the firewall then naturally you can use the firewall to block the traffic. The firewall however wont be able to control the traffic between the devices in the same network.
  It would seem to me though that you are probably looking for something to enable blocking connections on a certain host/PC from all but one source IP address. This would sound more like a situation where you would use some software on the host/PC itself to control the access.
  Cant say much more with the provided information which was minimal.
  - Jouni

• Why WRT54G ver 7 blocks all UDP broadcasts?

  My WRT54G seems to be blocking all UDP broadcasts in the intranet side. Is there an option somewhere, which controls this behaviour, because I have not found one.
  It does not matter, if I connect my laptop with a cable or by WLAN, no UDP broadcast packets from my server to the laptop go through.
  If I connect to either one of my regular switches, UDP broadcast works perfectly.
  Note that I'm not using the WAN port at all, so I would expect no filtering on the traffic.

  Interesting! 
  For sake of argument, can you try using the broadcast address of 255.255.255.255 - this is a limited (local network only) broadcast.
  Can you see the MAC (layer 2/ethernet) portion with your tool? 
  The MAC of the destination needs to be all FFs (all ones) for broadcasts. 
  I am wondering if something is happening at a lower level - like in how switching is implemented in the linksys.  I wonder if a linksys switch (only) also does this.
  NOTE - ICMP echo (PINGS) do go through my WRV54G to specific addresses and broacdcast the x.x.x.255 addresses. 

• SA520W Content Filtering blocks all URL

  My current config is using the SA520W with firwmware 2.1.18.
  I have enabled ProtecLink Web with the following settings.
  Global Settings>Approved Clients = Enable approved Clients: Checked
  Global Settings>Approved URLs = Enable Approved URLs List: Checked
  Web Protection>Overflow Control = Temporarily Block URL requests: Checked
  Web Protection>Web Threat Protection = Not Enabled
  Web Protection>URL Filtering = Enable URL Filtering: Checked
  Web Protection>URL Filtering = Enable Check Referer: Checked
  Web Protection>URL Filtering = HTTP Ports: 80
  Filtered Catagories
  Computers/Harmful = All are checked for Business and Leisure hours.
  The issue I am having is that this is blocking all traffic through the device, accept for traffic on port 443 HTTPS. I am able to load pages that are directed to HTTPS. Is there an issue with how I have this configuration setup, or is there an issue with the firmware?
  Thanks
  Robert

  Hi Robert,
  I am using the setup described in your email below but not able to reproduce the issue reported. I have tried some sites and able to browse successfully. Few are the examples:
  www.google.com, www.yahoo.com, www.apple.com, www.cnn.com, www.facebook.com, www.ebay.com, www.amazon.com
  I did see some advertisements frames got blocked in some websites as well as advertisement sites like www.craigslist.com been blocked due to 'Computers/Harmful' category selected for URL filtering.
  Can you let me know some sites that are blocked in your setup. Also which browser are you using for your http traffic.
  Thanks,
  Nitin.